file identification in ios - national institute of standards
TRANSCRIPT
Questions:
• Can the NSRL method of file identification be
used to identify files on a device running iOS?
• Once identified, can applications be
automatically classified by their behavior?
Presentation Overview
• Applying the NSRL methodology to iOS – Brief anatomy of iOS file system
– Brief anatomy of iOS applications
– File identification on an iPhone
• Methods for describing application functionality – Manifest files
– Examining application binaries
• Benefits / Future Work
Anatomy of the iOS File System
NAND Storage
System Partition
OS Files Factory Installed
Applications
/private/var
User Data and Applications
Anatomy of an iOS Application
Application Zip File (ipa)
iTunesArtwork iTunesMetadata.plist Payload
Application files and resources
Info.plist
iPhone File Identification
• Application corpus of 91 applications
– 49,403 files
– 43,462 unique files
• File sets extracted from 1st generation iPhone
– Set 1: No applications (used as baseline)
– Set 2: One application synced to phone
– Set 3: 33 (all compatible) corpus applications synced to phone
Uniqueness of Files
173
477
151
446
0
100
200
300
400
500
600
iPhone No Applications ( Set 1 ) iPhone with Amazon.app ( Set 2 )
# of Files # of Unique Files
Uniqueness of Files in Set 3
20030
17095
0
2500
5000
7500
10000
12500
15000
17500
20000
iPhone with 33 Applications( set 3 )
File Unique
File Identification in Set 2
138 119
296 289
43 38
0
100
200
300
400
500
600
# Files in Set 2 # Unique Files in Set 2
Overlap with Set 1 Overlap with Amazon.app Unidentified Files
File Identification in Set 3
149 118
19799
16487
380
726
0
5000
10000
15000
20000
25000
# Files in Set 3 # Unique Files in Set 3
Overlap with Set 1 Overlap with Corpus Unidentified Files
98.8 % 96.4 %
Describing Application Functionality
• Info.plist
• Examining application binary files
Info.plist
Info.plist
• Dictionary of key-value pairs
– UIDeviceFamily / MinimumOSVersion
– UIRequiresPersistantWifi
– UIBackgroundModes
• Describes how the application functions when backgrounded
*http://developer.apple.com/library/ios/#documentation/General/Reference/InfoPlistKeyReference/Articles/iPhoneOSKeys.html
Info.plist Continued…
– UIRequiredDeviceCapabilities
• Specifies hardware requirements: – GPS and location services
– Accelerometer
– Front or rear facing cameras
– Bluetooth
– SMS
• Requirements not declared are still permitted
Examining Application Binary Files
• String Search of binary files
• Apple Developer Libraries embedded in plain text
• Identified 70 unique library names
Notable Observed Libraries
Library Name # Times Observed
CoreLocation.framework/CoreLocation 69
libsqlite3.dylib 65
AddressBook.framework/AddressBook 53
CoreTelephony.framework/CoreTelephony 44
GameKit.framework/GameKit 33
Twitter.framework/Twitter 15
ExternalAccessory.framework/ExternalAccessory
2
Frequencies of Observed Libraries
0
10
20
30
40
50
60
70
80
90
100
/usr
/lib
/lib
Syst
em.B
.dyl
ib
/usr
/lib
/lib
ob
jc.A
.dyl
ib
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/U
IKit
.f…
/usr
/lib
/lib
gcc_
s.1.
dyl
ib
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/Q
uar
t…
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/A
ud
io…
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/M
edi
a…
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/C
FNet
…
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/C
ore
L…
/usr
/lib
/lib
std
c++.
6.d
ylib
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/O
pen
…
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/Se
curi
…
/Sys
tem
/Lib
rary
/Fra
me
wo
rks/
Co
reT…
/usr
/lib
/lib
xml2
.2.d
ylib
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/A
dd
re…
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/G
ame…
/Sys
tem
/Lib
rary
/Fra
me
wo
rks/
Eve
nt…
/Sys
tem
/Lib
rary
/Fra
me
wo
rks/
Co
reT…
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/Tw
itt…
/usr
/lib
/lib
icu
core
.A.d
ylib
/usr
/lib
/lib
ico
nv.
2.d
ylib
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/A
sset
s…
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/Im
age…
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/A
ccel
…
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/Ex
ter…
/usr
/lib
/sys
tem
/lib
lau
nch
.dyl
ib
/usr
/lib
/sys
tem
/lib
cop
yfile
.dyl
ib
/usr
/lib
/sys
tem
/lib
syst
em
_sa
nd
bo
x.…
/usr
/lib
/sys
tem
/lib
rem
ove
file
.dyl
ib
/usr
/lib
/sys
tem
/lib
xpc.
dylib
/usr
/lib
/sys
tem
/lib
dis
pat
ch.d
ylib
/usr
/lib
/sys
tem
/lib
com
pile
r_rt
.dyl
ib
/usr
/lib
/sys
tem
/lib
keym
gr.d
ylib
/Sys
tem
/Lib
rary
/Fra
mew
ork
s/C
ore
I…
/usr
/lib
/sys
tem
/lib
mac
ho
.dyl
ib
Potential Benefits
• Augment the RDS
• Identify files on iOS devices
• Build iOS application behavior profiles
• Build iOS device capability profiles
Future Work
• Incorporate iOS application acquisition into NSRL acquisition chain ✓
• Build iOS Library Data Dictionary
• Build DFXML iOS data set
• Determine applicability to iPhone backup files
– File fragments and fuzzy hashing
• Determine applicability to iCloud
• Expanding into the Android platform
Acknowledgements
• Zdziarski, J. (2003). iPhone Forensics. Sebastopol, CA: O’Reilly Media Inc.